Monday, January 26, 2026

Researchers from Symantec and VMware Carbon Black have identified a new ransomware strain named Osiris, used in a November 2025 attack against a major food franchise operator in Southeast Asia. Before deploying the ransomware, the attackers used a Bring Your Own Vulnerable Driver (BYOVD) technique to load a malicious kernel driver known as POORTRY (also called Abyssworker) and disable security software from kernel level. The researchers stress that this Osiris is unrelated to the Osiris ransomware of 2016, which was a Locky derivative that happened to use the same name.
Technical analysis shows that Osiris is a fully featured ransomware capable of stopping services, encrypting data, and dropping ransom notes. It supports multiple command-line options, including target selection, logging, an encryption mode switch (partial or full file encryption), and Hyper-V management. The malware skips certain file types and system directories, appends the .Osiris extension to encrypted files, deletes Volume Shadow Copies (VSS) to prevent local recovery, and terminates processes belonging to databases, backup systems, and productivity applications so that their files are not locked during encryption. It uses hybrid encryption: each file is encrypted with its own AES-128-CTR key, and that key is in turn protected with ECC, so files cannot be recovered without the attackers' private key. The ransom note, Osiris-MESSAGE.txt, contains the extortion demands and negotiation instructions.
The attack sequence began several days before the ransomware was deployed, with data exfiltration: the attackers used Rclone to upload stolen data to Wasabi cloud storage. They reused tooling seen in earlier campaigns, including a modified build of Mimikatz renamed kaz.exe, alongside multipurpose tools such as Netscan, Netexec, and MeshAgent. They also used a customized build of RustDesk, presented as "WinZip Remote Desktop," to disguise their remote access. The POORTRY driver was then deployed in the BYOVD step, together with a KillAV tool, to disable endpoint protection, and RDP was enabled to maintain access to compromised hosts.
Based on the repeated tool set and overlapping tactics, techniques, and procedures (TTPs), the researchers note behavioral similarities to the INC ransomware group (also known as Warble), but attribution remains unconfirmed. Organizations are advised to monitor for indicators associated with this new Osiris ransomware and to strengthen defenses against BYOVD attacks, since a driver loaded into the kernel can blind endpoint protection before any file is encrypted.
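As an added example (this is not Symantec or Carbon Black code, nor tooling from the report), the Python hunt below encodes the behaviours from the attack chain above as rules run over constructed telemetry: a kernel driver loaded from a user-writable path (the BYOVD step), Mimikatz command syntax regardless of the binary name (kaz.exe), Rclone uploads to a Wasabi remote, RDP enablement through fDenyTSConnections, the "WinZip Remote Desktop" product string, shadow copy deletion, and the .Osiris / Osiris-MESSAGE.txt artifacts. The key=value log format, hostnames, paths, timestamps and the driver file name example-drv.sys are invented for the sample; POORTRY's real file names and hashes are not given on this page, so the driver rule keys on load path rather than on a name.

```python
"""Hunting rules for the Osiris/BYOVD intrusion chain, run over constructed telemetry.

Added example, not vendor tooling. Hosts, paths, timestamps and the driver file name
are made up; only the behaviours being matched come from the report.
"""
import re
from dataclasses import dataclass

# Constructed key=value telemetry, one event per line (raw string because of Windows paths).
SAMPLE_LOGS = r"""
2025-11-10T01:02:11Z host=FS01 event=ProcessCreate image=C:\Tools\rclone.exe cmdline="rclone.exe copy D:\Finance wasabi:corp-bkp --transfers 16"
2025-11-13T22:41:05Z host=DC01 event=ProcessCreate image=C:\Windows\Temp\kaz.exe cmdline="kaz.exe privilege::debug sekurlsa::logonpasswords"
2025-11-14T03:15:42Z host=FS01 event=DriverLoad image=C:\ProgramData\upd\example-drv.sys signed=true
2025-11-14T03:16:10Z host=FS01 event=ProcessCreate image=C:\Windows\System32\reg.exe cmdline="reg add HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f"
2025-11-14T03:20:33Z host=FS01 event=ProcessCreate image=C:\Users\svc\AppData\Local\wzrd.exe description="WinZip Remote Desktop"
2025-11-14T04:02:00Z host=FS01 event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2025-11-14T04:02:09Z host=FS01 event=FileCreate target=D:\Finance\Q3-report.xlsx.Osiris
2025-11-14T04:02:10Z host=FS01 event=FileCreate target=D:\Finance\Osiris-MESSAGE.txt
2025-11-14T04:03:00Z host=FS01 event=DriverLoad image=C:\Windows\System32\drivers\example-vendor.sys signed=true
2025-11-14T04:05:00Z host=WS07 event=ProcessCreate image=C:\Windows\System32\robocopy.exe cmdline="robocopy D:\Finance E:\Backup /MIR"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Directories a properly installed kernel driver has no business being loaded from.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp|temp|perflogs)\\", re.I)


def parse(line):
    """Turn 'TIMESTAMP k=v k="v v"' into a dict; values keep backslashes as-is."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": ts}
    for key, val in KV.findall(rest):
        ev[key] = val.strip('"')
    return ev


def byovd_driver_path(ev):
    # BYOVD drivers usually carry a valid signature, so key on the load path, not on signed=.
    if ev.get("event") == "DriverLoad" and USER_WRITABLE.match(ev.get("image", "")):
        return f"kernel driver loaded from user-writable path {ev['image']}"


def mimikatz_syntax(ev):
    # kaz.exe is a renamed Mimikatz; the module::command syntax survives the rename.
    if re.search(r"\b(sekurlsa|lsadump|privilege|kerberos)::\w+", ev.get("cmdline", "")):
        return f"Mimikatz command syntax in {ev.get('image')}"


def rclone_upload(ev):
    m = re.search(r"\brclone(\.exe)?\s+(copy|sync|move)\s+\S+\s+(\S+)", ev.get("cmdline", ""), re.I)
    if m:
        dest = m.group(3)
        note = " (Wasabi remote)" if "wasabi" in dest.lower() else ""
        return f"rclone upload to {dest}{note}"


def rdp_enabled(ev):
    if re.search(r"fDenyTSConnections.*\s/d\s+0\b", ev.get("cmdline", ""), re.I):
        return "RDP enabled via fDenyTSConnections=0"


def masquerading_remote_tool(ev):
    # Product string reported for the customized RustDesk build.
    if ev.get("description") == "WinZip Remote Desktop":
        return f"RustDesk masquerade string on {ev.get('image')}"


def shadow_copy_deletion(ev):
    if re.search(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
                 ev.get("cmdline", ""), re.I):
        return "Volume Shadow Copies deleted"


def osiris_artifact(ev):
    target = ev.get("target", "")
    name = target.split("\\")[-1]
    if ev.get("event") == "FileCreate" and (name.lower().endswith(".osiris") or name == "Osiris-MESSAGE.txt"):
        return f"Osiris artifact written: {target}"


# rule name -> (kill-chain stage, predicate returning a detail string or None)
RULES = {
    "rclone_upload": ("exfiltration", rclone_upload),
    "mimikatz_syntax": ("credential_access", mimikatz_syntax),
    "byovd_driver_path": ("defense_evasion", byovd_driver_path),
    "rdp_enabled": ("persistence", rdp_enabled),
    "masquerading_remote_tool": ("persistence", masquerading_remote_tool),
    "shadow_copy_deletion": ("impact", shadow_copy_deletion),
    "osiris_artifact": ("impact", osiris_artifact),
}


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    stage: str
    detail: str


def scan(text):
    """Run every rule over every event; one Finding per (event, matching rule)."""
    findings = []
    for line in text.strip().splitlines():
        ev = parse(line)
        for name, (stage, fn) in RULES.items():
            detail = fn(ev)
            if detail:
                findings.append(Finding(ev["ts"], ev.get("host", "?"), name, stage, detail))
    return findings


def stages_by_host(findings):
    """host -> stages in first-seen order; a host already at 'impact' is past the point of isolation."""
    out = {}
    for f in sorted(findings, key=lambda f: f.ts):
        stages = out.setdefault(f.host, [])
        if f.stage not in stages:
            stages.append(f.stage)
    return out


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.ts} {f.host:<5} {f.rule:<24} {f.detail}")
    print(stages_by_host(hits))
```

The driver rule is deliberately signature-agnostic: the point of BYOVD is that the loaded driver is trusted by the OS, so "unsigned driver" alerts miss it, while a .sys file loading from ProgramData or a user profile is abnormal on almost any fleet. For prevention rather than detection, enforcing Microsoft's vulnerable driver blocklist (through HVCI or a WDAC policy) stops known-bad drivers from loading at all; the hunt above is the compensating control for drivers the blocklist does not yet cover.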
